This is a discussion on My VPS is sending spam? How to trace? in the VPS & Dedicated forum
  1. #1 JPC Member (Join Date: Jul 2008, Posts: 11)

    Question My VPS is sending spam? How to trace?

    Hi,
    My VPS is supposedly sending spam from somewhere, as it was reported to SpamCop... The headers do show the IP address of my server (69.73.159.169). I'm not an expert, and the maillog that I've checked doesn't show any unusual activity... Last month tech support supposedly locked things down. Is there any other way I can tell what script, user, or domain/whatever sent this out? Tech support told me to contact SpamCop for more info, but I can't find any links to contact someone... Below is all the info I have; any advice is appreciated, as I don't want my IP blacklisted all over the place!
    Thanks,
    Scott
    ---------------------
    Return-Path: <Garfunkl49@msn.com>
    Received: from jag.northwindnh.com (jag.northwindnh.com [69.73.159.169])
    by kbns.zonk.pl (8.12.10/8.12.10) with SMTP id n61N6Qv1002317
    for <x>; Thu, 2 Jul 2009 01:06:30 +0200
    Received: from wubdtqtd (13.202.110.82)
    by jag.northwindnh.com; Wed, 1 Jul 2009 19:06:13 -0400
    Date: Wed, 1 Jul 2009 19:06:13 -0400
    From: =?koi8-r?B?VmljIFNhbmNo?= <Garfunkl49@msn.com>
    X-Mailer: WebMail_
    Reply-To: =?koi8-r?B?VmljIFNhbmNo?= <Garfunkl49@msn.com>
    X-Priority: 2 (High)
    Message-ID: <2640_______________5136@msn.com>
    To: =?koi8-r?B?TWljaGFsIFR5cmFsYQ==?= <x>
    Subject: =?koi8-r?B?RGVhciBNaWNoYWwgVHlyYWxh?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------C78A5ADAFB4E3F"
    Parsing header:
    0: Received: from jag.northwindnh.com (jag.northwindnh.com [69.73.159.169]) by kbns.zonk.pl (8.12.10/8.12.10) with SMTP id n61N6Qv1002317 for <x>; Thu, 2 Jul 2009 01:06:30 +0200
    Hostname verified: jag.northwindnh.com
    zonk.pl received mail from sending system 69.73.159.169

    1: Received: from wubdtqtd (13.202.110.82) by jag.northwindnh.com; Wed, 1 Jul 2009 19:06:13 -0400
    No unique hostname found for source: 13.202.110.82

    Possible forgery. Supposed receiving system not associated with any of your mailhosts
    Will not trust anything beyond this header

    Tracking message source: 69.73.159.169:
    Routing details for 69.73.159.169
    Cached whois for 69.73.159.169 : abuse@jaguarpc.com
    Using abuse net on abuse@jaguarpc.com
    abuse net jaguarpc.com = abuse@jaguarpc.com
    Using best contacts abuse@jaguarpc.com
    Message is 19 hours old
    69.73.159.169 not listed in dnsbl.njabl.org ( 127.0.0.8 )
    69.73.159.169 not listed in dnsbl.njabl.org ( 127.0.0.9 )
    69.73.159.169 not listed in cbl.abuseat.org
    69.73.159.169 not listed in dnsbl.sorbs.net
    69.73.159.169 not listed in accredit.habeas.com
    69.73.159.169 not listed in plus.bondedsender.org
    69.73.159.169 not listed in iadb.isipp.com

    Finding links in message body
    Recurse multipart:
    Parsing HTML part

    Resolving link obfuscation
    http://kalbosperformancecycle.com/index/?unsubscribe
    http://kalbosperformancecycle.com/index

    Reports regarding this spam have already been sent:
    Re: 69.73.159.169 (Administrator of network where email originates)
    Reportid: 4322518448 To: abuse@jaguarpc.com
    Re: http://kalbosperformancecycle.com/index (Administrator of network hosting website referenced in spam)
    Reportid: 4322518494 To: abuse@theplanet.com
    Re: http://kalbosperformancecycle.com/index/?unsubscribe (Administrator of network hosting website referenced in spam)
    Reportid: 4322518505 To: abuse@theplanet.com

    If reported today, reports would be sent to:
    Re: 69.73.159.169 (Administrator of network where email originates)

    abuse@jaguarpc.com

  2. #2 JPC-Masood, CTO (Join Date: Aug 2002, Location: Jaguar Servers, Posts: 2,062)
    You can open a support ticket from the client dashboard at https://secure.jaguarpc.com/clients

    Masood N. | Chief Technical Officer
    JaguarPC.com


    Helpful Links
    Knowledge Base | Network Status

  3. #3 JPC-Masood, CTO (Join Date: Aug 2002, Location: Jaguar Servers, Posts: 2,062)
    If you are trying to contact SpamCop, it probably won't help. I see you have cPanel on your server. Please contact support to activate the SMTP tweak to block all direct SMTP connections from your server. You also need to audit all your scripts, as someone has remote access to your server through some security hole and is sending direct mails to remote servers.

    Masood N. | Chief Technical Officer
    JaguarPC.com



  4. #4 JPC Member (Join Date: Jul 2008, Posts: 11)
    Thanks, I did create a support ticket, but after going back and forth I was told to contact them (SpamCop) for more header info and am stuck there... I was told they did a tweak last month to prohibit direct emails, but it still appears to be happening. Is there any way I can determine what scripts are sending out? Is there any way to log every time an email is sent out? Obviously everything looks fine in /var/log/maillog... I'm not really sure how I could audit... Thanks again for your help,
    Scott

  5. #5 JPC-Masood, CTO (Join Date: Aug 2002, Location: Jaguar Servers, Posts: 2,062)
    The headers in that email do not show any mail server activity on your server. It just shows one line with your IP, and that is on the receiving end of the mail server. When email is sent by any mail server, it adds a timestamp and details of where it received the email from. On a cPanel server running exim, it will also have a mail ID in the header.

    This means one of two things: (a) the spammer is using a direct socket connection to deliver emails, or (b) the report is fake (yes, it can happen sometimes).

    In case of (a) there won't be any logs unless you create an iptables rule to log port 25 activity. But if you have the SMTP tweak in place and have verified that it does block SMTP connections from anything other than the mail server, then (b) is the only choice. You can check with support if they can find any report from SpamCop on this IP. We'll have the link to respond to SpamCop regarding this report and can contest that our server does not allow direct SMTP socket connections and there is no mail server activity, so this report is not valid.

    Masood N. | Chief Technical Officer
    JaguarPC.com


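The "iptables rule to log port 25 activity" mentioned in post #5, as an added example that is not part of the thread or JaguarPC's own tooling: the rule logs (rather than blocks) every outbound port-25 connection not made by the mail server account, recording the UID, and a helper summarises the resulting kernel log lines per UID so the account whose script is making direct SMTP connections stands out. It assumes the MTA runs as the user "mailnull" (exim on cPanel); the log lines below are constructed.

```shell
#!/bin/sh
# Added example: log direct outbound SMTP connections that bypass the local
# MTA, then summarise the kernel log lines per UID. Assumes the mail server
# runs as "mailnull" (exim on cPanel hosts); adjust --uid-owner to match.

# Run once as root. Logs every outbound port-25 connection opened by any
# account other than the mail server; --log-uid adds UID= to each line.
install_smtp_logging() {
    iptables -I OUTPUT -p tcp --dport 25 -m owner ! --uid-owner mailnull \
        -j LOG --log-prefix "SMTP-DIRECT: " --log-uid
}

# Count logged connections per UID and list the destinations, so an
# unexpected account making many port-25 connections is obvious at a glance.
summarise_smtp_log() {
    grep 'SMTP-DIRECT:' "$1" | awk '
    {
        uid = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (uid != "") { n[uid]++; hosts[uid] = hosts[uid] " " dst }
    }
    END { for (u in n) printf "uid=%s connections=%d dst:%s\n", u, n[u], hosts[u] }
    ' | sort
}

# Constructed sample in the format netfilter writes to /var/log/messages
# (documentation IP ranges; UID 32012 stands in for a hosting account).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jul  1 19:06:10 jag kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40001 DPT=25 SYN UID=32012 GID=32012
Jul  1 19:06:11 jag kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.26 PROTO=TCP SPT=40002 DPT=25 SYN UID=32012 GID=32012
Jul  1 19:06:12 jag sshd[2211]: Accepted password for root from 203.0.113.5
Jul  1 19:06:13 jag kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.27 PROTO=TCP SPT=40003 DPT=25 SYN UID=0 GID=0
EOF

summarise_smtp_log "$SAMPLE_LOG"
```

Once the UID is known, `getent passwd <uid>` maps it to the cPanel account, which narrows the script audit to that account's home directory.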

  6. #6 JPC Member (Join Date: Jul 2008, Posts: 11)

    Smile Found it... Thanks!

    Thanks again for all of your help and expertise. I'm rather embarrassed to say that there was indeed a script that somehow got uploaded into my OWN cgi-bin directory that was sending out spam. The only way I figured it out was looking in /var/log/messages and /var/log/messages.1 and finding an extreme amount of FTP activity on my user account, which didn't make sense. If only I knew how someone got hold of my password to log in...
    I have learned though when I get a spam complaint it's probably 99.9% true that my server is the culprit vs. something being spoofed somewhere...

    Thanks again,
    Scott
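The check that finally found the script in post #6 (an unusual amount of FTP activity on one account in /var/log/messages), as an added example that is not part of the thread: a helper that summarises FTP logins per account and source address and flags uploads into a cgi-bin directory. It assumes the pure-ftpd syslog format cPanel hosts write ("(user@ip) [INFO] user is now logged in", "... uploaded (bytes, rate)"); the log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise pure-ftpd activity from /var/log/messages so a
# burst of logins from an unfamiliar address, or an upload into cgi-bin,
# stands out. Assumes cPanel's pure-ftpd syslog lines; sample is constructed.
ftp_activity_summary() {
    grep 'pure-ftpd' "$1" | awk '
    / is now logged in/ {
        # the "(user@ip)" field carries the client address; the account
        # name is the word immediately before "is"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\(.*@.*\)$/) { ip = $i; gsub(/^\(.*@|\)$/, "", ip) }
            if ($i == "is") user = $(i - 1)
        }
        logins[user " " ip]++
    }
    /uploaded/ && /cgi-bin/ {
        # any upload landing in cgi-bin deserves a look: that is where a
        # mailer script would be planted on a shared host
        for (i = 1; i <= NF; i++) if ($i == "uploaded") printf "UPLOAD %s\n", $(i - 1)
    }
    END { for (k in logins) printf "LOGIN %s %d\n", k, logins[k] }
    ' | sort
}

# Constructed sample lines (documentation IP ranges, hypothetical account "scott").
SAMPLE_MESSAGES=$(mktemp)
cat >"$SAMPLE_MESSAGES" <<'EOF'
Jul  1 18:40:01 jag pure-ftpd: (?@203.0.113.5) [INFO] scott is now logged in
Jul  1 18:40:05 jag pure-ftpd: (scott@203.0.113.5) [NOTICE] /home/scott//public_html/cgi-bin/mailer.pl uploaded  (2048 bytes, 40.00KB/sec)
Jul  1 18:41:02 jag pure-ftpd: (?@203.0.113.5) [INFO] scott is now logged in
Jul  1 18:55:10 jag pure-ftpd: (?@198.51.100.7) [INFO] scott is now logged in
Jul  1 18:56:00 jag sshd[1001]: Accepted publickey for root from 198.51.100.7
EOF

ftp_activity_summary "$SAMPLE_MESSAGES"
```

A login count from an address the account owner does not recognise, paired with an upload into cgi-bin, is the pattern worth chasing first; rotating that account's FTP password and removing the uploaded file follows from the same output.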
